Add Codex OAuth provider flow for ChatGPT account sign-in (#503)

* feat: add Codex OAuth provider flow * fix: harden Codex OAuth storage, session activation, and UI
2026-04-13 11:34:16 -03:00
parent 252808bbd0
commit fc7dc9ca0d
34 changed files with 5187 additions and 508 deletions
--- a/src/utils/providerSecrets.ts
+++ b/src/utils/providerSecrets.ts
@@ -0,0 +1,107 @@
+const SECRET_ENV_KEYS = [
+  'OPENAI_API_KEY',
+  'CODEX_API_KEY',
+  'GEMINI_API_KEY',
+  'GOOGLE_API_KEY',
+  'MISTRAL_API_KEY',
+] as const
+
+export type SecretValueSource = Partial<
+  Record<(typeof SECRET_ENV_KEYS)[number], string | undefined>
+>
+
+export function sanitizeApiKey(
+  key: string | null | undefined,
+): string | undefined {
+  if (!key || key === 'SUA_CHAVE') return undefined
+  return key
+}
+
+function looksLikeSecretValue(value: string): boolean {
+  const trimmed = value.trim()
+  if (!trimmed) return false
+
+  if (trimmed.startsWith('sk-') || trimmed.startsWith('sk-ant-')) {
+    return true
+  }
+
+  if (trimmed.startsWith('AIza')) {
+    return true
+  }
+
+  return false
+}
+
+function collectSecretValues(
+  sources: Array<SecretValueSource | null | undefined>,
+): string[] {
+  const values = new Set<string>()
+
+  for (const source of sources) {
+    if (!source) continue
+
+    for (const key of SECRET_ENV_KEYS) {
+      const value = sanitizeApiKey(source[key])
+      if (value) {
+        values.add(value)
+      }
+    }
+  }
+
+  return [...values]
+}
+
+export function maskSecretForDisplay(
+  value: string | null | undefined,
+): string | undefined {
+  const sanitized = sanitizeApiKey(value)
+  if (!sanitized) return undefined
+
+  if (sanitized.length <= 8) {
+    return 'configured'
+  }
+
+  if (sanitized.startsWith('sk-')) {
+    return `${sanitized.slice(0, 3)}...${sanitized.slice(-4)}`
+  }
+
+  if (sanitized.startsWith('AIza')) {
+    return `${sanitized.slice(0, 4)}...${sanitized.slice(-4)}`
+  }
+
+  return `${sanitized.slice(0, 2)}...${sanitized.slice(-4)}`
+}
+
+export function redactSecretValueForDisplay(
+  value: string | null | undefined,
+  ...sources: Array<SecretValueSource | null | undefined>
+): string | undefined {
+  if (!value) return undefined
+
+  const trimmed = value.trim()
+  if (!trimmed) return trimmed
+
+  const secretValues = collectSecretValues(sources)
+  if (secretValues.includes(trimmed) || looksLikeSecretValue(trimmed)) {
+    return maskSecretForDisplay(trimmed) ?? 'configured'
+  }
+
+  return trimmed
+}
+
+export function sanitizeProviderConfigValue(
+  value: string | null | undefined,
+  ...sources: Array<SecretValueSource | null | undefined>
+): string | undefined {
+  if (!value) return undefined
+
+  const trimmed = value.trim()
+  if (!trimmed) return undefined
+
+  const secretValues = collectSecretValues(sources)
+  if (secretValues.includes(trimmed) || looksLikeSecretValue(trimmed)) {
+    return undefined
+  }
+
+  return trimmed
+}